feat(security): trust resource URLs as URLs. (#10220)

Resource URLs are strictly "more" trustworthy than plain URLs, so trusting them maintains the same level of security while avoiding to break people when we downgrade a resource URL context to a plain URL context.

modules/@angular/platform-browser/src/security/dom_sanitization_service.ts

@@ -165,7 +165,10 @@ export class DomSanitizationServiceImpl extends DomSanitizationService {
         this.checkNotSafeValue(value, 'Script');
         throw new Error('unsafe value used in a script context');
       case SecurityContext.URL:
-        if (value instanceof SafeUrlImpl) return value.changingThisBreaksApplicationSecurity;
+        if (value instanceof SafeResourceUrlImpl || value instanceof SafeUrlImpl) {
+          // Allow resource URLs in URL contexts, they are strictly more trusted.
+          return value.changingThisBreaksApplicationSecurity;
+        }
         this.checkNotSafeValue(value, 'URL');
         return sanitizeUrl(String(value));
       case SecurityContext.RESOURCE_URL: